Cyber Incident Victim: Florida Virtual Learning School

Date: May 2016

Location: United States of America

Summary

A third-party vendor's unsecured server exposed sensitive personal information of approximately 368,000 current and former students affiliated with Florida Virtual School, along with data from over 4,000 teachers and staff at Leon County Schools. The breach involved plaintext records including Social Security numbers, addresses, contact details, academic information, vaccination histories, disciplinary reports, and parent data, accessible without authentication for an extended period. The exposure was initially discovered by an independent researcher and later reuploaded by a forum user who alerted authorities, contradicting the vendor's subsequent claims of a hacking incident. Evidence indicated the data was compromised due to inadequate access controls rather than external exploitation, with the responsible party offering assistance to secure the systems despite publicly sharing portions of the dataset.

Description

The exposure of sensitive data involving Florida Virtual School (FLVS) and Leon County Schools (LCS) originated from an unsecured server maintained by a third-party vendor. The breach was first publicly disclosed in February 2018 when an individual using the alias "$2a$45" posted databases on a forum containing records from both educational institutions. According to the forum post, the data had been exposed due to a vendor error and included comprehensive information on 35,000 LCS students, 18,000 parent addresses, and 4,000 LCS teachers. Teacher records exposed Social Security numbers, dates of birth, contact information, and email addresses, while student records included identifiers, demographic details, addresses, phone numbers, lunch PINs, and academic information. The forum poster additionally referenced vaccination records, disciplinary reports, report cards, and sibling information in the full dataset. All exposed data was stored in plain text without encryption or password protection. Neither LCS nor FLVS was aware of the exposure until DataBreaches.net alerted them on February 11-12, 2018, after discovering the forum listing.

Evidence indicated the data had been accessible since at least May 2016, with a security researcher first identifying the vulnerability in June 2017. The same exposed information was reuploaded by the forum poster in February 2018. FLVS's public notification referenced a security incident occurring between May 2016 and February 2018 affecting 368,000 current and former students, but this characterization conflicted with available evidence showing the data was left openly accessible on an unsecured server rather than being actively hacked. The forum poster did not attempt financial extortion but instead offered assistance to LCS in securing the data. Despite FLVS's implication of external attackers, the incident stemmed from access control failures at the vendor level, with no technical breach required to obtain the information. The exposure lasted nearly two years before remediation efforts began following the 2018 disclosure.